On November 9, 2021, the U.S. Securities and Exchange Commission (SEC) Division of Examinations (EXAMS) released a risk alert (Risk Alert) concerning deficiencies it observed in its examinations of advisers providing electronic advisory services, including advisers known as “robo-advisers.”1 Those deficiencies were in the areas of the robo-advisers’ compliance programs, portfolio management practices (including advisers’ fiduciary obligations), and marketing/performance advertising.
The Risk Alert also identified issues related to many robo-advisers’ registration with the SEC as an investment adviser, particularly firms registering on the basis of Rule 203A2(e) of the Investment Advisers Act of 1940, as amended (Advisers Act). The Risk Alert also highlights concerns with robo-advisers’ reliance on, or adherence to, Rule 3a-4 under the Investment Company Act of 1940, as amended (Company Act). Specifically, the EXAMS staff reminded robo-advisers of the need to follow applicable registration requirements, exemptions, and safe harbors, both under (1) the Advisers Act, to be properly registered with the SEC, either as an Internet adviser relying on Advisers Act Rule 203A2(e) or another applicable provision or exemption, and (2) the Company Act, to avoid having their discretionary investment program deemed an unregistered investment company.
More broadly, the EXAMS staff encouraged robo-advisers to revisit their compliance programs, disclosures, portfolio management, and marketing materials for compliance with relevant rules and regulations based on their electronic advisory services offerings. The Risk Alert serves as a reminder to advisers to disclose accurately and completely their practices, and to design compliance programs and testing to ensure that those practices are followed on an ongoing basis.
Compliance, Portfolio Management, Advertising, and Cybersecurity Observations
Significant takeaways come from EXAMS’ observations regarding how robo-advisers can address specific areas of observed deficiencies and improve firms’ compliance practices, including the following:
- adopting written policies and procedures tailored to the adviser’s practices as a robo-adviser and implementing and following those practices
- testing investment algorithms periodically to ensure that such algorithms are operating as expected and documenting the results of any testing
- safeguarding algorithms to prevent unintended or unauthorized changes through the use of access restrictions or changing control protocols
- confirming that performance advertising and marketing practices comply with the requirements of Advisers Act Rule 206(4)-1
- reviewing the robo-adviser’s cybersecurity practices for the protection of client information
EXAMS also noted portfolio management practices that robo-advisers should revisit to confirm appropriate account oversight, including:
- reviewing policies designed to confirm that investment advice being provided is in each client’s best interest based on the client’s investment objectives
- confirming operational and supervisory controls for automated platforms and the proper functioning of investment algorithms, with a focus on addressing the risk of any algorithm’s producing unintended and inconsistent results (e.g., due to coding errors or unusual market conditions)
- assessing best execution for trading of accounts on automated platforms
EXAMS’ recommendations arose from identified deficiencies where the examined advisers:
Compliance Programs
- lacked adequate compliance programs, typically due to not having any written policies and procedures, not implementing or testing such policies or having policies and procedures that were insufficient for the applicable adviser’s operations,
- lacked controls for disclosures, which contributed to inaccurate or incomplete disclosures concerning conflicts of interest, advisory fees, investment practices, and ownership structure
- included hedge clauses or other exculpatory language in service agreements or disclosures that did not necessarily align with their fiduciary duty
Portfolio Management
- lacked policies and procedures to assess whether the robo-adviser’s algorithms were performing as intended or whether asset allocation and/or rebalancing services were occurring as disclosed; and/or data aggregation services were not impairing the safety of clients’ assets as a result of the adviser’s having direct or indirect access to clients’ credentials
- did not test the investment advice generated by their platforms to clients’ stated or platform-determined investment objectives or otherwise did not satisfy their duty of care
Marketing and Advertising
- lacked procedures to detect inadequacies or noncompliance with marketing and performance advertising practices, resulting in advertisement-related deficiencies, including
- having misleading or prohibited statements on their websites
- having materially misleading performance advertisements on their websites, including hypothetical performance results of an investment model applied retroactively
- providing inadequate or insufficient disclosure concerning “human” services
Cybersecurity Programs
- lacked policies and procedures protecting the firm’s systems and responding to cybersecurity events
- were not in compliance with Regulation S-ID or Regulation S-P because they
- had “covered accounts” but lacked written policies and procedures designed to detect, prevent, and mitigate identity theft,
- lacked or did not implement written policies and procedures addressing compliance with certain elements of Regulation S-P, and/or
- did not deliver initial and/or annual privacy notices to all clients.
Registration Observations
EXAMS observed that nearly half the advisers claiming eligibility to register with as an investment adviser pursuant to Rule 203A2(e) were ineligible to do so, and many other advisers were not otherwise eligible for SEC registration as an investment adviser because such advisers did not have an interactive website or had advisory personnel who could provide investment advice directly to clients (in addition to the advice provided through the interactive website). EXAMS also observed that some advisers’ affiliates were operating as unregistered investment advisers because while the affiliates were operationally integrated with the respective advisers, the affiliates themselves were not eligible to register as with the SEC internet advisers.
EXAMS reminded robo-advisers that failure to satisfy all of the elements of the safe harbor from the definition of “investment company” under Rule 3a-4 of the Company Act may result in their activities being subject to the rules and requirements applicable to investment companies. Moreover, these types of registration issues can result in enforcement charges.
Specifically, the Risk Alert identified specific safe harbor-related deficiencies where such robo-advisers
- were unaware that the discretionary investment advisory programs that the advisers sponsored may be unregistered investment companies, and some did not claim reliance on the safe harbor
- claimed to rely on the safe harbor, but their policies and procedures were either inadequate in addressing adherence with the safe harbor or were not implemented
- did not obtain —or did not contact clients annually to update — information from each client regarding the client’s financial situation and investment objectives necessary in order to provide the client with individualized advice, or inquire as to whether the client wished to impose any reasonable restrictions on the management of their account
- failed to provide clients with quarterly statements with activity information
- did not ensure clients retained the indicia of ownership because, for example, the adviser either restricted the client’s ability to withdraw cash or securities from the accounts or the adviser did not allow the client to vote proxies
Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship.
Attorney Advertising - For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.